Preparation
1. Spin up a Linode and, once you have its IP, check whether the address has a bad reputation. The box is going to host websites, so make sure the IP has not previously been used for spam, porn or other abuse (such addresses are often already on blocklists).
Visit https://dnslytics.com/ip/66.175.xxx.xxx
to see the IP details; replace the address with your own.
2. Make a note of the Linode's root password.
3. Generate a key pair for the key-based login configured later:
ssh-keygen -t rsa -b 4096 -C "[email protected]"
Details: https://help.github.com/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent/
After generating the keys, put the private key at ~/keys/id_rsa_linode.pem
That path is only a convention used in this article; you can keep the key anywhere you like, but it must be readable by you alone (mode 0600), or ssh will refuse to use it. Only the public key ever goes to the server; the private key stays on your machine.
SSH into the Linode and update the system
Log in. On the first connection ssh shows the host key fingerprint; confirm it out of band (for example through Linode's Lish console, with ssh-keygen -l on the server's host key) before answering yes, otherwise a man-in-the-middle on the first connection goes unnoticed and the wrong key ends up pinned in known_hosts:
[email protected] MSYS /D/Documents/project/coding
$ ssh [email protected]
The authenticity of host '66.175.xxx.xxx (66.175.xxx.xxx)' can't be established.
ECDSA key fingerprint is SHA256:x7zsrIke28kKqL+AWTjZGkvOfyhSeO1E6fzd55Crdh8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '66.175.xxx.xxx' (ECDSA) to the list of known hosts.
[email protected]'s password:
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.15.13-x86_64-linode106 x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Last login: Tue Mar 7 20:18:09 2017
Try to update the system. You may get stuck at "Connecting to security.ubuntu.com":
$ apt update
... ...
0% [Connecting to security.ubuntu.com (2001:67c:1562::16)]
... ...
Fetched 5,670 kB in 2min 17s (41.2 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
150 packages can be upgraded. Run 'apt list --upgradable' to see them.
The address apt hangs on is an IPv6 one. The same apt update never showed this on Vultr, DigitalOcean or UpCloud; the Linode has a routable IPv6 address, so glibc's address selection prefers the mirror's AAAA record, and when the IPv6 path to the mirror is slow or black-holed apt waits on it until the timeout. The fix is to tell the resolver to sort IPv4 addresses first:
Details: https://askubuntu.com/questions/620317/apt-get-update-stuck-connecting-to-security-ubuntu-com
vim /etc/gai.conf
Uncomment this line:
# precedence ::ffff:0:0/96 100
It sits directly below this comment:
# For sites which prefer IPv4 connections change the last line to
After that change, getent ahosts security.ubuntu.com lists the IPv4 address first, and the initial system update runs fast:
$ apt update
... ...
$ apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
... ...
Fetched 57.3 MB in 1s (50.1 MB/s)
Extracting templates from packages: 100%
Preconfiguring packages ...
Configuring key-based login
# Add the public key of the pair generated earlier to the ssh configuration in the user's home directory;
# in vim, paste the public key as a single line of its own. sshd (StrictModes) ignores the file if the
# directory or the file is writable by others, hence the permissions.
mkdir -p ~/.ssh && chmod 700 ~/.ssh
vim ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# Configure the login locally: add an entry in this format to ~/.ssh/config on your own machine:
Host linode
    Hostname 66.175.xxx.xxx
    User root
    IdentityFile ~/keys/id_rsa_linode.pem
# In another terminal or tab, try logging in over ssh; if that works, disable password login as described below.
# Keep the existing session open until a fresh key login has succeeded, so a mistake cannot lock you out.
ssh linode
# Disable password login
vim /etc/ssh/sshd_config
# Change the yes on the second line below to no; the first line is a comment that helps you find it
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# Reload the sshd service
service sshd reload
# Install commonly used tools
apt install git tmux unzip
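Editing sshd_config by hand works, but it is easy to leave a second, commented-out copy of the directive behind or to reload a config that sshd will not parse. The script below is an added example (not part of the original post): it applies the setting from this section plus two related ones (PermitRootLogin prohibit-password so root can only log in with a key, ChallengeResponseAuthentication no so PAM cannot reopen a password prompt), rewrites any existing or commented-out line instead of appending duplicates, and runs sshd -t before reloading. The functions take the file path as an argument, so they can be tried on a copy first; the --apply flag and the service name ssh (Ubuntu's unit, aliased as sshd) are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent sshd hardening for the
# settings discussed in this section.  Functions operate on the file they are
# given, so they can be tested on a scratch copy before touching /etc/ssh.
set -eu

# set_sshd_option FILE KEY VALUE
# Replaces every existing (possibly commented-out) KEY line, including inside
# Match blocks, with "KEY VALUE"; appends the line if KEY is absent.
set_sshd_option() {
  file=$1 key=$2 value=$3
  if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
    sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# effective_sshd_option FILE KEY -> prints the value of the first uncommented
# KEY directive, which is the one sshd honours (first match wins).
effective_sshd_option() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd FILE: no password logins, no keyboard-interactive fallback,
# root only with a key, public-key auth explicitly on.
harden_sshd() {
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" ChallengeResponseAuthentication no
  set_sshd_option "$1" PermitRootLogin prohibit-password
  set_sshd_option "$1" PubkeyAuthentication yes
}

# Run with --apply on the server (assumed flag): edit the live config, check its
# syntax, and reload only if the check passes.  Keep your current session open
# and verify a fresh key login before closing it.
if [ "${1:-}" = "--apply" ]; then
  harden_sshd /etc/ssh/sshd_config
  sshd -t && service ssh reload
fi
```

Running harden_sshd twice leaves exactly one PasswordAuthentication line, which is the point of rewriting rather than appending: with sshd, the first matching directive wins, so a stale "yes" above an appended "no" would silently keep passwords enabled.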
Requesting SSL certificates
Temporary HTTP access for the domains
If the sites get modest traffic, a single $5/month Linode can run several of them, so the certificate procedure described here covers several domains; for a single domain it is simpler, and it is easy to see which steps to drop.
Requesting a certificate for the main domain requires that a specified file under that domain be reachable over HTTP; this is a mandatory validation step. So we configure one virtual host for all the domains that need certificates: one domain is the ServerName, the rest are ServerAlias entries.
Copy the configuration below into /etc/apache2/sites-available/tmp.conf
, then run a2ensite tmp.conf
and service apache2 reload
; replace examplesite[x].com with your other domains as needed, or delete those lines.
ServerName vps123.top
ServerAlias examplesite1.com
ServerAlias examplesite2.com
ServerAlias examplesite3.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/wordpress
Options -Indexes +FollowSymLinks
Include /etc/apache2/custom.d/globalblacklist.conf
DirectoryIndex index.php
AllowOverride All
Require all denied
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
The container directives are missing from the listing as shown on the page: the whole file belongs inside a <VirtualHost *:80> block, and Options, AllowOverride and Require are only valid inside a <Directory> block (Apache refuses "AllowOverride not allowed here" otherwise), so restore those wrappers, and write the log paths with braces, ${APACHE_LOG_DIR}, as above. Take care with Require all denied: if it applies to the directory that holds .well-known/acme-challenge, the CA's validation request gets a 403 and issuance fails, so the challenge path needs its own Require all granted.
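Since this vhost only exists so the CA can fetch validation files, it can be much narrower than the WordPress vhost it is modelled on. The file below is an added example written for this article, not the post's own tmp.conf: it serves nothing but the ACME challenge path for the same list of names and answers 403 to everything else, so no part of the application tree is reachable over plain HTTP before TLS is set up. /var/www/acme is an assumed directory (create it with mkdir -p /var/www/acme/.well-known/acme-challenge, readable by www-data); with it in place, the certbot steps that follow put the validation file under /var/www/acme instead of the WordPress directory, and certbot's --webroot authenticator with -w /var/www/acme would do the same without the manual file editing.

```apache
# Added example (not the post's tmp.conf): temporary port-80 vhost that exposes
# only the ACME http-01 path.  Assumed directory: /var/www/acme.
<VirtualHost *:80>
    ServerName vps123.top
    ServerAlias examplesite1.com
    ServerAlias examplesite2.com
    ServerAlias examplesite3.com
    ServerAdmin webmaster@localhost

    # Challenge files live outside the application tree.
    DocumentRoot /var/www/acme

    # Everything under the document root is refused by default ...
    <Directory /var/www/acme>
        Options -Indexes -FollowSymLinks
        AllowOverride None
        Require all denied
    </Directory>

    # ... except the challenge directory, which the CA must be able to read.
    # The more specific <Directory> wins when Apache merges the two sections.
    <Directory /var/www/acme/.well-known/acme-challenge>
        Options -Indexes -FollowSymLinks
        AllowOverride None
        ForceType text/plain
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/acme-error.log
    CustomLog ${APACHE_LOG_DIR}/acme-access.log combined
</VirtualHost>
```

Run apache2ctl configtest before a2ensite and the reload; once the real site vhosts are enabled, a2dissite this file so the challenge directory is not served on port 80 longer than needed (the port-80 vhost of the final configuration can keep the same path open for renewals).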
Notes on requesting the certificates
We request separate certificates for the main domain and for the wildcard. Note that a wildcard certificate for *.yourdomain.com
does not cover yourdomain.com
itself.
Requesting a certificate for yourdomain.com
requires the domain to be reachable over HTTP, so that the CA can fetch the specified validation file and confirm that we control the name; that is why the virtual host above is prepared first.
Requesting a certificate for *.yourdomain.com
requires adding a TXT record to the domain's DNS. To be safe we wait some tens of minutes after adding the record before pressing Enter to validate; so that a dropped ssh session cannot abort the request, run the validation inside tmux, screen or a similar session manager.
Wildcard certificates are only issued over ACME v2. At the time of writing certbot still used the v1 endpoint by default, so pointing it at the v2 server made it register a new account, separate from the one used for the main-domain certificate. (The v1 endpoint has since been retired and current certbot releases use v2 for everything, so that extra account no longer arises.)
We may hold several certificates for the same domain; the main-domain certificate and the wildcard certificate are two different certificates. The first one is stored by default under /etc/letsencrypt/live/yourdomain.com
, and further ones get a numeric suffix: the files of the second certificate are stored under /etc/letsencrypt/live/yourdomain.com-0001
, and so on. Requesting both names in one go with the dns-01 challenge (-d yourdomain.com -d '*.yourdomain.com') yields a single certificate covering both and avoids the suffixed directory.
Two caveats that certbot's output does not spell out: a certificate obtained with --manual and no hooks cannot be renewed by "certbot renew" without repeating the interactive steps, so its expiry date has to be tracked by hand (certbot's --webroot authenticator, or --manual-auth-hook scripts, make renewal unattended); and the validation file must be publicly readable, so fetch the URL with curl yourself before pressing Enter.
If the explanation above is unclear, just type the commands in order; it becomes obvious once you have been through the process. We request the main-domain certificate first and the wildcard certificate second, so that the two end up in the directories described.
Requesting the main-domain certificate
[email protected]:/etc/apache2/sites-available# certbot certonly --manual
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel): vps123.top
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for vps123.top
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

# A yes/no question; answer Y
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y
-------------------------------------------------------------------------------
===== inserted explanation begins
# As instructed, create the file .well-known/acme-challenge/5qyAoi6mwUCiv6Gc00NtGI5u7DmQ8WBlycaPYJ9Dvio
# under the directory the domain points at, containing exactly the string shown below
# Open a new tmux window
cd /var/www/html/wordpress
mkdir -p .well-known/acme-challenge
vim .well-known/acme-challenge/5qyAoi6mwUCiv6Gc00NtGI5u7DmQ8WBlycaPYJ9Dvio
# Paste the string, save with :wq, and fetch the URL below yourself before pressing Enter.
===== inserted explanation ends
Create a file containing just this data:

5qyAoi6mwUCiv6Gc00NtGI5u7DmQ8WBlycaPYJ9Dvio.6GFfpzZTD8IrUR-yDQ-r7tamQ6tS1uakz5a0jY4PdeY

And make it available on your web server at this URL:

http://vps123.top/.well-known/acme-challenge/5qyAoi6mwUCiv6Gc00NtGI5u7DmQ8WBlycaPYJ9Dvio

-------------------------------------------------------------------------------
Press Enter to Continue
# After Enter, this output means the certificate was issued
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/vps123.top/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/vps123.top/privkey.pem
   Your cert will expire on 2018-09-02. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
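The "certbot renew" hint at the end of that output does not apply to a certificate obtained this way: with the manual authenticator and no hooks, certbot stops and asks for the file again. The script below is an added example, not part of the post or of certbot: it is a --manual-auth-hook / --manual-cleanup-hook pair that does exactly what the tmux window above did by hand, writing the key authorization certbot passes in the CERTBOT_TOKEN and CERTBOT_VALIDATION environment variables (with CERTBOT_DOMAIN naming the host) into the web root, checking over HTTP that the file is really served, and removing it afterwards. The install path /usr/local/bin/acme-hook.sh and the WEBROOT default taken from the post's DocumentRoot are assumptions; the token check refuses anything that could write outside the challenge directory.

```shell
#!/bin/sh
# Added example (not from the original post): certbot manual-mode hooks for
# http-01, so that "certbot renew" works unattended.  Register it with:
#   certbot certonly --manual --preferred-challenges http \
#     --manual-auth-hook    '/usr/local/bin/acme-hook.sh auth' \
#     --manual-cleanup-hook '/usr/local/bin/acme-hook.sh cleanup' \
#     -d vps123.top
# certbot exports CERTBOT_DOMAIN, CERTBOT_TOKEN and CERTBOT_VALIDATION to hooks.
set -eu

# Assumed document root of the vhost that answers for the domain (from the post).
WEBROOT="${WEBROOT:-/var/www/html/wordpress}"
umask 022   # challenge files must be readable by the web server user

# challenge_path WEBROOT TOKEN -> the file the CA's request maps to
challenge_path() {
  printf '%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# token_ok TOKEN: ACME tokens are base64url, so anything with a slash or ".."
# is not a token and must not be turned into a path.
token_ok() {
  case "$1" in
    ''|*/*|*..*) return 1 ;;
  esac
  return 0
}

# place_challenge WEBROOT TOKEN KEYAUTH: write the key authorization verbatim
# (no trailing newline, exactly what the CA compares against).
place_challenge() {
  token_ok "$2" || { echo "refusing suspicious token: $2" >&2; return 1; }
  mkdir -p "$1/.well-known/acme-challenge"
  printf '%s' "$3" > "$(challenge_path "$1" "$2")"
}

# remove_challenge WEBROOT TOKEN: cleanup hook counterpart
remove_challenge() {
  token_ok "$2" || return 1
  rm -f "$(challenge_path "$1" "$2")"
}

# verify_challenge DOMAIN TOKEN KEYAUTH: fetch the file the way the CA will,
# over plain HTTP on the public name, before certbot asks for validation.
verify_challenge() {
  got=$(curl -fsS "http://$1/.well-known/acme-challenge/$2") || return 1
  [ "$got" = "$3" ]
}

case "${1:-}" in
  auth)
    place_challenge "$WEBROOT" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION"
    verify_challenge "$CERTBOT_DOMAIN" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION"
    ;;
  cleanup)
    remove_challenge "$WEBROOT" "$CERTBOT_TOKEN"
    ;;
esac
```

A failing verify_challenge makes the auth hook exit non-zero, so certbot aborts before the CA records a failed validation against the domain; that is usually a vhost or DocumentRoot mismatch and is far easier to debug locally than from the CA's error message.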
Requesting the wildcard certificate
Because wildcard issuance goes over ACME v2, Certbot asks you to create a new account; the transcript below records that process, which amounts to entering an e-mail address and answering a few questions. Quote the wildcard argument, otherwise the shell tries to expand *.vps123.top as a filename pattern.
# Enter the request command, replacing the domain with your own
certbot certonly -d '*.vps123.top' --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory
# Account creation starts: enter the e-mail address
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): [email protected]
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
# Accept the agreement
(A)gree/(C)ancel: a
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
# Do not share the e-mail address
(Y)es/(N)o: n
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for vps123.top
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
# Allow the IP to be logged against the certificate
(Y)es/(N)o: y
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.vps123.top with the following value:

A3O7v5vwd9AY1cwvBvTBZLizcY8sd4giGgDxWy-VY0c

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
# Certbot asks you to add a TXT record to the domain's DNS. Add it, wait a while, then press Enter.
# Aliyun DNS was ready in about 5 minutes; NameSilo once still was not after half an hour, so judge for yourself.
# A failed validation makes certbot ask for a fresh TXT record, which is tedious, so patience pays off.
# Check the record beforehand with nslookup or dig (dig TXT _acme-challenge.vps123.top), ideally querying one of
# the domain's authoritative name servers directly, since a recursive resolver may still be caching the old answer.
Press Enter to Continue
# After Enter, the success message is printed
Configuring the virtual hosts
Take vps123.top as the example. We have to handle four site names: http://vps123.top
, http://www.vps123.top
, https://vps123.top
and https://www.vps123.top
. You can point them all at https://vps123.top
, or point them all at https://www.vps123.top
. This site provides a configuration script that sets this up in one step. Usage:
# Download the script from vps123.top. Save it and read it before running it rather than piping the
# download straight into a shell: a piped script runs whatever the server, or anyone able to tamper
# with the download, sends, with no chance to look at it first.
$ wget -O vhost.sh https://vps123.top/vhost.sh
$ less vhost.sh
$ bash vhost.sh
# Running the script means answering four questions; the script uses the four values to fill in fields of the configuration files.
# It adds a virtual host listening on port 80 and one on port 443 for the domain, writes the configuration files to
/etc/apache2/sites-available
, enables both virtual hosts with a2ensite, and enables the ssl and rewrite modules with a2enmod.
Enter the site name, used to name the configuration and log files: vps123
Enter the domain in the form domain.com, without a leading www or similar: vps123.top
Enter the application path, e.g. /var/www/html/wordpress, without a trailing /: /var/www/html/wordpress
Enter 1 to redirect www to the bare domain, 2 to redirect the bare domain to www: 1
Module rewrite already enabled
Module ssl already enabled
Enabling site vps123.
To activate the new configuration, you need to run:
  systemctl reload apache2
Enabling site vps123-le-ssl.
To activate the new configuration, you need to run:
  systemctl reload apache2
work done!
Run service apache2 reload
to load the new configuration.
Test that the 301 redirects work; all three should redirect to https://vps123.top
:
$ curl http://vps123.top
The document has moved here.
$ curl http://www.vps123.top
The document has moved here.
$ curl https://www.vps123.top
The document has moved here.
What curl prints is the body of Apache's redirect page (the link inside it is not shown in plain-text output). To check the redirect itself rather than its body, run the same commands with curl -sI and look at the status line and the Location header: each should be a 301 with Location: https://vps123.top/ (plus the original path).
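The vhost.sh script itself is not reproduced on the page, so here, as an added example written for this article (mine, not the script's output), is the configuration it describes for vps123.top, written out by hand: port 80 answers only for ACME renewals and redirects everything else to https://vps123.top, the www name on port 443 redirects to the bare domain, and the bare domain on port 443 serves WordPress. Assumptions: the certificate paths follow the certificate section (apex certificate under /etc/letsencrypt/live/vps123.top, wildcard under /etc/letsencrypt/live/vps123.top-0001, which is what the www vhost needs since the apex certificate does not cover www), /var/www/acme is a challenge-only directory, and mod_ssl, mod_rewrite and mod_headers are enabled (a2enmod headers for the HSTS line). The Protocols line is a core directive and only takes effect once mod_http2 is enabled as in the HTTP/2 section.

```apache
# Added example (not the post's vhost.sh output).  Assumed paths:
# /var/www/acme for ACME challenges, certificate directories as noted above.

# Port 80: serve the ACME path for renewals, redirect everything else to TLS.
<VirtualHost *:80>
    ServerName vps123.top
    ServerAlias www.vps123.top
    DocumentRoot /var/www/acme
    <Directory /var/www/acme/.well-known/acme-challenge>
        Options -Indexes -FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://vps123.top%{REQUEST_URI} [R=301,L]
    ErrorLog ${APACHE_LOG_DIR}/vps123-error.log
    CustomLog ${APACHE_LOG_DIR}/vps123-access.log combined
</VirtualHost>

# Port 443, www: needs a certificate valid for www (the wildcard), then redirects.
<VirtualHost *:443>
    ServerName www.vps123.top
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/vps123.top-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/vps123.top-0001/privkey.pem
    Redirect permanent / https://vps123.top/
    ErrorLog ${APACHE_LOG_DIR}/vps123-error.log
    CustomLog ${APACHE_LOG_DIR}/vps123-access.log combined
</VirtualHost>

# Port 443, bare domain: the site itself.
<VirtualHost *:443>
    ServerName vps123.top
    DocumentRoot /var/www/html/wordpress
    Protocols h2 http/1.1

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/vps123.top/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/vps123.top/privkey.pem
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on

    # Only add HSTS once every name has a valid certificate and the redirects work:
    # browsers will refuse plain HTTP for the domain for max-age seconds afterwards.
    Header always set Strict-Transport-Security "max-age=31536000"
    Header always set X-Content-Type-Options "nosniff"

    <Directory /var/www/html/wordpress>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    # Never serve the file holding the database credentials, even if PHP handling breaks.
    <Files wp-config.php>
        Require all denied
    </Files>

    ErrorLog ${APACHE_LOG_DIR}/vps123-error.log
    CustomLog ${APACHE_LOG_DIR}/vps123-access.log combined
</VirtualHost>
```

Save it as /etc/apache2/sites-available/vps123.conf, run a2ensite vps123.conf and a2dissite tmp.conf, check with apache2ctl configtest, then reload; the three curl tests above should then all answer 301 with Location: https://vps123.top/.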
Configuring Apache: HTTP/2, Brotli compression and caching
Enabling HTTP/2
# Add the PPA; the official 16.04 LTS packages used here do not provide http2.
# A third-party PPA adds its maintainer's signing key to your trust store and lets it replace the web server
# packages on every apt upgrade, so only add repositories you are prepared to trust to that extent.
$ add-apt-repository ppa:ondrej/apache2
# Update apache
$ apt update
$ apt upgrade
# Install php-fpm and enable the related modules. mod_http2 needs the event MPM, which cannot run together
# with mod_php, so PHP moves to php-fpm behind proxy_fcgi and prefork is swapped for event.
$ apt install php7.0-fpm
$ a2enmod proxy_fcgi setenvif
$ a2enconf php7.0-fpm
$ a2dismod php7.0
$ a2dismod mpm_prefork
$ a2enmod mpm_event
# Restart the php-fpm service
$ service php7.0-fpm restart
# Enable http2 and restart apache
$ a2enmod http2
$ service apache2 restart
Enabling Brotli compression
# Install the brotli package
$ apt install brotli
# Edit the configuration file and add the line below to enable brotli for the common text types
$ vim /etc/apache2/mods-available/brotli.conf
AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript
# Enable the module
$ a2enmod brotli
$ service apache2 restart
# Check in the Chrome developer console whether it took effect, or download a file with curl and inspect it
$ curl https://vps123.top/wp-content/themes/topvps/style.css -H 'Accept-Encoding: br' > style.css
# force br; if the downloaded file is compressed rather than plain text, it worked
$ curl https://vps123.top/wp-content/themes/topvps/style.css -H 'Accept-Encoding: gzip, deflate, br' > style.css
# simulate a browser
A quicker check than inspecting the file is to have curl dump the response headers (-D -) for the same request and look for Content-Encoding: br. One caution on the list of types: compressing text/html deserves thought. When a compressed TLS response mixes a secret (a session token, a CSRF nonce) with input an attacker can influence, the compressed size leaks the secret byte by byte (the BREACH attack). Static assets such as CSS and JavaScript are safe to compress; for dynamic pages that carry secrets, either leave text/html out of the list or make sure the application defends against BREACH.
Configuring caching
# First edit the configuration file
$ vim /etc/apache2/mods-available/expires.conf
# Turn on expires
ExpiresActive on
# Specify the lifetime per content type
# access = now
# modification
# plus (int) years / months / weeks / days / hours / minutes / seconds
ExpiresByType image/gif "access plus 1 weeks"
ExpiresByType image/jpeg "access plus 1 weeks"
ExpiresByType image/png "access plus 1 weeks"
ExpiresByType text/css "access plus 1 weeks"
ExpiresByType application/javascript "access plus 1 weeks"
ExpiresByType application/x-javascript "access plus 1 weeks"
ExpiresByType application/x-shockwave-flash "access plus 1 weeks"
# Do not cache anything else
ExpiresDefault "access plus 0 minutes"
# Enable the module
$ a2enmod expires
# Test the configuration
$ apache2ctl configtest
Syntax OK
# Restart apache
$ service apache2 restart
Keeping HTML at zero is deliberate: pages rendered for a logged-in user must not be served from a shared cache. The one-week lifetime for CSS and JavaScript relies on the URL changing when the file changes; WordPress appends a ?ver= parameter to the assets it enqueues, which does that, but anything you include by hand will be stale in visitors' browsers for up to a week after an edit.
Installing WordPress
Preparing the database, user and privileges
CREATE DATABASE `dbname` CHARACTER SET 'utf8mb4' COLLATE 'utf8mb4_bin';
CREATE USER 'user'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON dbname.* TO 'user'@'localhost';
The user is confined to localhost and to its own database, and it gets no WITH GRANT OPTION: a WordPress user never needs to hand privileges to other accounts, and an injection through the application would otherwise be able to do exactly that. The user is created with a separate CREATE USER rather than the older GRANT ... IDENTIFIED BY form, which MySQL 8.0 no longer accepts. Replace 'password' with a long random one; it is stored in plain text in wp-config.php.
Installing WP-CLI
WP-CLI is the official tool for managing WordPress from the terminal; see its documentation for details. After installing WP-CLI, follow the steps below to complete the WordPress installation.
Two things to note before running them. Passing --dbpass on the command line puts the database password into your shell history and into the process list while the command runs; WP-CLI's global --prompt=dbpass option asks for it interactively instead. And --allow-root, used here because everything runs as root, leaves the generated files owned by root; running the same commands as the web server user (sudo -u www-data wp ...) avoids that and makes --allow-root unnecessary.
# Generate the wp-config configuration file
[email protected]:/var/www/html/wordpress# wp config create --dbname=vps123 --dbuser=user --dbpass=password --locale=zh_CN --allow-root
Success: Generated 'wp-config.php' file.
# Set up the database. The admin password is generated and printed once; change it after the first login.
[email protected]:/var/www/html/wordpress# wp core install --url=https://vps123.top --title="VPS Beginner" --admin_user=qiushan@vps123 [email protected] --skip-email --allow-root
Admin password: 6vjzLrm2B(U)61oKh0
Success: WordPress installed successfully.
# Install the Chinese language pack
$ wp language core install zh_CN --allow-root
Downloading translation from https://downloads.wordpress.org/translation/core/4.9.2/zh_CN.zip...
Unpacking the update...
Installing the latest version...
Translation updated successfully.
Success: Language installed.
# Activate Chinese
$ wp language core activate zh_CN --allow-root
Success: Language activated.
# Install the Chinese translations for themes, plugins and so on
$ wp language core update --allow-root
Updating 'Chinese (China)' translation for Akismet Anti-Spam 4.0.3...
Downloading translation from https://downloads.wordpress.org/translation/plugin/akismet/4.0.3/zh_CN.zip...
Unpacking the update...
Installing the latest version...
Translation updated successfully.
Updating 'Chinese (China)' translation for 1.6...
Downloading translation from https://downloads.wordpress.org/translation/plugin/hello-dolly/1.6/zh_CN.zip...
Unpacking the update...
Installing the latest version...
Translation updated successfully.
Updating 'Chinese (China)' translation for Twenty Fifteen 2.0...
Downloading translation from https://downloads.wordpress.org/translation/theme/twentyfifteen/2.0/zh_CN.zip...
Unpacking the update...
Installing the latest version...
Translation updated successfully.
Updating 'Chinese (China)' translation for Twenty Seventeen 1.6...
Downloading translation from https://downloads.wordpress.org/translation/theme/twentyseventeen/1.6/zh_CN.zip...
Unpacking the update...
Installing the latest version...
Translation updated successfully.
Updating 'Chinese (China)' translation for Twenty Sixteen 1.5...
Downloading translation from https://downloads.wordpress.org/translation/theme/twentysixteen/1.5/zh_CN.zip...
Unpacking the update...
Installing the latest version...
Translation updated successfully.
Success: Updated 5/5 translations.
-- EOF --
This article was last modified on 2018-06-05.